As a field engineer, I see two phrases rattle nerves in a control room: voting mismatch and voter fault. In a Triconex safety controller, both point to disagreement somewhere in the triple modular redundant path. The good news is that Triconex diagnostics are designed to find these issues while the plant stays online, and vendor guidance is very clear on how to correct them safely. This article explains what these alarms mean in practice, why they occur, and exactly how I walk them down on site using Triconex’s own tools and Schneider Electric advisories.
Triconex is a triple modular redundant safety PLC. Three independent processing legs, often referred to as A, B, and C, read inputs, execute logic in parallel, and drive outputs with a majority vote. The platform transports and compares data among legs through hardware voting on the internal buses. For digital outputs, a quad voter circuit passes power when any two legs agree; for analog outputs, one leg at a time drives the channel while all three legs continuously verify the result through loop-back readings. This is why diagnostic messages so often mention specific legs by name.
In plain language, a voting mismatch tells you the three channels do not agree, or that a channel’s local self-test has identified a leg that cannot be trusted. On digital output modules, the platform’s documentation uses the term voter fault for this class of issue. That term is specific: per the Triconex manual, voter fault is a diagnostic on digital output modules only. On analog output modules, the Enhanced Diagnostic Monitor shows external mismatch or external error mismatch when the commanded value and measured loop-back do not align, or when a leg’s self-check fails. In both cases, the system is telling you that a redundant leg is unhealthy, not that the safety function has been lost.
In the Enhanced Diagnostic Monitor and its Advanced counterpart, alarms follow a consistent pattern. External mismatch points to analog output disagreement, while leg-centric messages name the affected path explicitly. Internal loop back error leg A, B, or C means a channel’s loop-back check has failed on that leg. No communication on A leg indicates the module cannot talk to the leg’s local microprocessor. Internal Loop Fault Error and Sanity test failed error appear when a module’s self-tests detect conditions that cannot be reconciled. Bad Integer Inputs 1–32 is a diagnostic summary pattern for flagged points within the module’s internal health mapping.
The messages read technical because they are. The essential first step is to parse whether the diagnostic is module-specific and leg-specific, since that tells you how isolated the fault is. Triconex faults are typically leg-centric by design. The module continues operating on the healthy legs, flags the failing leg, and asks you to take action before a second fault occurs.
| Alarm message | Module family | What it means in plain terms | Practical impact in service |
|---|---|---|---|
| External error mismatch | Analog output | Commanded versus measured value disagrees or a leg self-test fails | Module remains in service on healthy legs; plan timely replacement of the faulted module |
| Voter fault | Digital output | Quad voter diagnostics detect disagreement on the DO drive circuitry | Digital output voting detects and isolates a leg; investigate the module’s voter path |
| Internal loop back error (leg A/B/C) | AO or DO | Loop-back reading inconsistent on named leg | Treat as a leg hardware fault; collect diagnostics and plan module replacement |
| No communication on A leg | AO or DO | Loss of communication to leg’s I/O processor | Investigate backplane connection and module electronics; system continues on remaining legs |
| Sanity test failed / Internal Loop Fault | AO or DO | Module self-test failed on a health check | Flags the module for maintenance; proceed with diagnostics and replacement planning |
| Bad Integer Inputs 1–32 | Diagnostic summary | Module health bitmap shows bad status bits | Use as a pointer into detailed diagnostics; correlate with leg-specific alarms |
Understanding the platform’s diagnostic design helps the symptoms make sense. On digital outputs, the Triconex module uses parallel-series paths that only pass power when any two legs agree, and it executes an Output Voter Diagnostic on every point. During this check, the commanded state of a point is briefly reversed in a controlled way on one of the quad drivers, then loop-back verifies that the output circuit responds correctly. On analog outputs, each leg has its own digital-to-analog converter; one leg is designated to drive the field signal at any time, but all three legs read the result through loop-back. If a driving leg shows a fault, the module declares that leg bad and selects a new leg to continue driving, while keeping the output within service and logging the failure.
The result of this design is intentional. The system can surface granular, leg-specific faults without dropping a safety function, giving maintenance a window to replace the weak component while the process continues to run.
Schneider Electric has formally documented a field issue in specific Tricon analog modules manufactured from January 2013 to October 2015, covering models 3701/C/C1, 3700A/C/C1, 3805E/C/C1, 3805H/C/C1, 3806E/C/C1, and 3807/C/C1. The advisory attributes a higher-than-normal failure rate to a combination of aggressive flux and a weak resistor design. The failures are leg-centric and fully diagnosable. The vendor confirmed that the safety-related operation is not affected if the resistor stops working; the condition raises an alarm on a leg, and the system remains in service as long as you replace the module within the expected mean time to repair.
Schneider Electric’s guidance is straightforward. Replace the affected module online within industry-accepted repair windows, and do so before a second fault occurs to maintain the system’s high availability. Warranty coverage on the affected modules is extended to seven years from the date of manufacture. Modules returned for repair receive new resistors with a protective fill that prevents flux contamination. When you open a return, identify the advisory by the code M02363 so service can route it correctly.
When I’m called in for a voting mismatch on a Triconex controller, I follow a consistent path because it aligns with the platform’s diagnostics and with Schneider Electric’s own recommendations. The first move is to confirm the plant is steady and that process safety margins are not compromised. I do not start pulling cards before the control room and safety stakeholders agree the unit is in a stable state and that we have the staffing to support an online repair if needed.
With the process stable, I acknowledge the alarm and attempt a soft reset of the card-level error. If the diagnostic clears and stays quiet, operators continue to monitor and I proceed to data collection to ensure we’re not missing a latent issue. If the error repeats, I connect to the system and run the Enhanced Diagnostic Monitor or the Advanced Diagnostic Monitor. These tools are vendor-provided for precisely this situation. I let the monitor complete its checks, then save the generated diagnostic file and the readable log to the maintenance share.
Vendor involvement is not an afterthought here. The next thing I do is forward that diagnostic file to Schneider Electric service. Their team has tool-specific expertise that speeds root cause confirmation, and they close the loop with a written analysis. While that package is in flight, I review the module’s part number and date code. If the module is one of the analog models made in the January 2013 to October 2015 window, I assume the advisory applies and begin planning an online module replacement, even if the loop-back currently passes on the other legs. When I file the return material authorization, I identify the advisory with the code provided by Schneider Electric so the repair center knows to apply the upgraded resistors.
Throughout, I follow the Tricon Safety Considerations guidance: all logic solver faults can be repaired online without degrading the system, and the platform’s modular design means insertion and replacement are transparent to operation when performed correctly. The point is not to be cavalier. The point is that the vendor designed the system to be serviced online precisely to mitigate the risk of additional failures and human error during drawn-out outages. You replace the faulted component before a second fault, you validate health, and you restore full redundancy while the unit continues to protect the process.
Good evidence shortens the repair time. I capture the diagnostic monitor export, screenshots of the leg-specific alarms, and a short narrative of the operator-observed symptoms. If the plant relies on Sequence of Events records from the Triconex platform, I include the SOE slice around the first alarm, because SOE stamps internal transitions tightly enough to help correlate the mismatch with any process disturbance. Finally, after any online replacement, I document the return to three-healthy-leg status in the diagnostic monitor and note the time it took to complete the swap.
The Schneider Electric advisory for the affected analog modules is explicit. The condition is diagnosable and leg-centric, and it does not disrupt the process or compromise safety if the module is replaced within the expected repair window. The Tricon Safety Considerations Guide generalizes that position: repair a logic solver fault online before a second fault occurs to maintain the highest availability. In day-to-day terms, the controller keeps you protected while you schedule an online replacement, and the design of modular insertion provides a controlled path to restore full redundancy. This is a high-integrity platform doing its job.
That said, policy and risk appetite differ by site. If your safety governance requires a planned outage for any safety-card replacement, work that process. Where policy allows, online replacement is the vendor-recommended path when diagnostics expose a fault on a single leg.
The advisory’s root cause explains the behavior many teams have seen. A resistor design susceptible to contamination by aggressive flux degrades on one leg of the analog output module. The degradation shows up through loop-back as a discrepancy between what the channel should be driving and what it actually reads. Because the module rotates the driving leg and continuously checks loop-back, it flags the failing leg and carries on with a healthy driver. The alarm persists because the module is telling the truth about the failed component. Replacing the module with a repaired unit that has the new resistors with protective fill resolves the mismatch and restores three healthy legs.
Digital output modules use a quad voter circuit to enforce two-out-of-three agreement. The platform documentation reserves the term voter fault for a diagnostic that can occur on a digital output module only. It is worth keeping the label straight because on a Triconex AO module the exact same concept—leg disagreement—surfaces through external mismatch rather than the DO-specific voter fault wording. In practice, you will work both the same way: collect diagnostics, confirm the leg-centric nature of the failure, and replace the module online within a reasonable repair window.
| Path | Advantages | Tradeoffs and cautions | Choose it when |
|---|---|---|---|
| Clear the soft fault and monitor | Quick, zero-impact first step; verifies whether the alarm was transient | Do not rely on clears if the fault reappears; repeated clears delay necessary maintenance | The alarm appears once and does not recur during a reasonable observation period |
| Online module replacement | Aligns with Tricon Safety Considerations; transparent to operation and restores redundancy before a second fault occurs | Requires disciplined execution and proper spares; follow site procedures to manage human-factor risk | A leg-centric fault is confirmed by diagnostics, or the AO module is in the advisory population |
| Planned outage replacement | Simplifies logistics for strict governance environments | Prolongs exposure to a second-fault scenario; unnecessary downtime compared to the vendor-supported online path | Site policy mandates outage work or multiple simultaneous replacements are planned |
The vendor’s own safety guide favors online repair before a second fault to preserve availability. Whenever governance allows, I follow that guidance.
If you maintain spares for Triconex analog output modules, check labels and date codes against the advisory window of January 2013 through October 2015 for models 3701/C/C1, 3700A/C/C1, 3805E/C/C1, 3805H/C/C1, 3806E/C/C1, and 3807/C/C1. The vendor extended warranty on affected units to seven years from the date of manufacture. If you suspect your spares fall into that population, coordinate with Schneider Electric service before installing them in a critical loop. Identify the advisory code when you initiate an RMA so repaired units receive the resistor upgrade with protective fill.
For installed bases outside that window, the same diagnostic-first discipline applies. Keep at least one tested spare for each output module family in service, and store those spares in environmental conditions aligned with the vendor’s recommendations. After any replacement, run the Enhanced Diagnostic Monitor to confirm three healthy legs and export the report for records. When planning purchases, favor current revisions that incorporate component improvements documented by the vendor. If you inherit inventory from other sites, verify manufacturing dates and health before you put them on your shelf.
| What to verify at purchase or RMA | Why it matters | Notes to the buyer |
|---|---|---|
| Module model and manufacturing date | Confirms whether the unit could fall under the advisory population for analog outputs | The advisory covers specific AO models made from January 2013 to October 2015 |
| Warranty eligibility and repair scope | Ensures extended coverage applies and that upgraded resistors with protective fill are installed during repair | Schneider Electric extended warranty to seven years on the affected AO models |
| Inclusion of diagnostic report on return | Documents restored health and three-leg status after repair | Attach the report to the asset record for traceability |
| Vendor case ID or advisory reference | Speeds routing and consistent handling | Identify the advisory with the code provided by Schneider Electric when you submit the RMA |
A few governance habits make voting mismatch alarms rare and short-lived. Keep the safety system independent of the basic process control system across power, I/O, cabinets, networks, and tools; that separation is a core theme in Triconex safety guidance because it lowers common-cause risk. Limit and audit engineering access to the safety network and the TriStation environment, and align logic changes with a formal management-of-change process. When a bypass is necessary, use a time-bound permit with clear annunciation and compensating measures, and reconcile every bypass against safe-state criteria. Treat vendor diagnostic alarms as actionable prompts. The platform’s self-checks exist to surface problems early; acknowledging the alarm is not the same as fixing the root cause.
I keep it simple. The controller still has you protected. The alarm tells us one redundant leg is unhealthy. We will collect the vendor diagnostics now, send the file to Schneider Electric for confirmation, and plan an online replacement of the module before a second leg fails. If the module is an analog output from the advisory window, we will tag it for RMA under the extended warranty so the resistor fix is installed. Operations can continue watching the process, and we will notify you when the module swap is complete and the diagnostics show three healthy legs again.
When the diagnostic says leg A is bad, did we lose our safety function? The design expectation is that you did not. The Triconex diagnostics are leg-centric by design. The platform isolates the failing leg and continues on the healthy legs. The vendor’s advisory for the analog output issue explicitly states that safety operation is not affected if the resistor stops working; the system alarms so you can replace the module within the repair window.
What is the difference between external mismatch and voter fault? External mismatch is the typical analog output message when the loop-back reading disagrees with the command or a leg self-test fails. Voter fault is a term that belongs to digital output modules per the Triconex manual. Both indicate disagreement among redundant paths; the wording follows the module type.
Is it really safe to replace a faulted module online? Tricon Safety Considerations guidance states that logic solver faults can be repaired online and recommends doing so before a second fault to maintain availability. The hardware supports modular insertion and replacement that is transparent to operation when performed correctly. Follow site procedures and vendor documentation to reduce human-factor risk.
Should we try to fix this without contacting the vendor? Use the vendor tools. The Enhanced Diagnostic Monitor and Advanced Diagnostic Monitor produce a diagnostic file that Schneider Electric service can analyze and turn around with a root-cause conclusion. Sending that file early shortens your time to a permanent fix and ensures consistent handling, especially for advisory-related modules.
The practices described here align with Schneider Electric advisories and the Tricon Safety Considerations Guide, which recommend online repair before a second fault and provide extended warranty and repair details for a specific analog output population. The workflow also follows peer guidance from the Automation & Control Engineering Forum, which emphasizes resetting soft faults once, collecting Enhanced Diagnostic Monitor data, and engaging vendor service. Triconex architecture behavior described here matches the Triconex Modules technical documentation, including the way digital outputs use quad voter diagnostics and analog outputs rotate the driving leg with loop-back verification. In nuclear safety contexts, formal FMEA documents reinforce that platform diagnostics are designed to detect and alarm single internal failures, which is exactly the behavior operators see when a leg-centric mismatch appears.
In short, the system is doing what it was built to do: keep you safe, tell you precisely what failed, and let you fix it without shutting down.
When a Triconex voting mismatch alarm hits the HMI, the right response is methodical, not dramatic. Confirm the process is steady, clear the soft fault once, collect Enhanced Diagnostic Monitor data, and get Schneider Electric service engaged while you plan an online replacement. If the module is in the known analog population from early-to-mid last decade, make use of the extended warranty and the resistor upgrade path. The platform’s diagnostics, the advisory’s clarity, and disciplined online maintenance are enough to get you from alarm to resolution with the plant protected the entire time.
Copyright Notice © 2025 mooreautomated.com All rights reserved,Moore Automated is not an authorized distributor or representative of the manufacturers featured on this website. Brand names and trademarks featured are the property of their respective owners.
